Application-Specific Information-Processing Method, System, and Apparatus
CROSS-REFERENCE TO RELATED APPLICATIONS 



This application claims the benefit of the following U.S. Provisional Applications,
all of which are hereby incorporated by reference, and the contents of which are not
necessarily identical to the content of this application:



COMMONLY OWNED AND PREVIOUSLY FILED
U.S. PROVISIONAL PATENT APPLICATIONS

Atty. Dkt. #     Serial Number   Title                                                                          Filing Date
501143.000005    60/288,015      Method and Apparatus for Shotgun Multiplication and Exponentiation             May 2, 2001
501143.000010    60/300,957      Method and Residue Calculation Using Casting Out                               June 26, 2001
501143.000011    60/300,955      Add-Drop Layer 3 Ethernet Ring Switch                                          June 26, 2001
501431.000014    60/326,266      Application Specific Information Processing System                             October 1, 2001
501143.000015    60/326,252      Efficient Use of DRAM-Based Devices For Small Discontiguous Memory Accesses    October 1, 2001
501143.000016    60/326,251      Exponentiation Engine                                                          October 1, 2001
501143.000017    60/326,250      Method for Squaring                                                            October 1, 2001


The current application shares some specification and figures with the following
commonly owned and concurrently filed applications, all of which are hereby
incorporated by reference:

COMMONLY OWNED AND CONCURRENTLY FILED
U.S. NONPROVISIONAL PATENT APPLICATIONS

Atty. Dkt. #     Serial Number   Title                                           Filing Date
501143.000008    Not Assigned    Ring Arithmetic Method, System, and Apparatus   Not Assigned



The benefit of 35 U.S.C. § 120 is claimed for all of the above referenced
commonly owned applications. The contents of the applications referenced in the tables
above are not necessarily identical to the contents of this application.

All references cited hereafter are incorporated by reference to the maximum 
extent allowable by law. To the extent a reference may not be fully incorporated herein, 
it is incorporated by reference for background purposes and indicative of the knowledge 
of one of ordinary skill in the art. 

BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION 

The present invention relates generally to an information-processing system and
in particular to an information-processing system for use in a network which processes
information for use by one or more specific applications.

DESCRIPTION OF RELATED ART 

Advances in the field of application-specific information-processing systems have 
solved many issues. But problems remain. The present invention solves some of the 
remaining problems. 

An example of a traditional implementation of a network protocol stack includes a
hardware-link layer — also called a transport layer — that verifies and delivers packets to
a software protocol stack. Each packet is selected based on its frame format and stripped
of any frame header that may be present. Each packet is then sent to the appropriate
protocol stack and subsequently to the appropriate application.

If the implementation is a single processor implementation, the processor
shepherds each packet through each software stack, processing one packet at a time, and
queuing other packets for later processing. In a multiple processor implementation, each
processor also acts on one packet at a time. Access to shared data structures is carefully
serialized, so the total number of packets being processed is limited to the number of
processors available.

One example is a TCP packet's handling on a TCP/IP Ethernet network. A
hardware network interface card checks and delivers the incoming TCP packet to a
software stack. The TCP packet's Ethernet frame header is removed, and the packet is
sent to an IP stack. Then its IP header is verified and removed, and the packet is sent to a
TCP stack. The packet's TCP header is verified and removed, and the packet's data is
sent to an application. This process is used in many embedded devices.

BRIEF SUMMARY OF THE INVENTION 

A preferred embodiment is an information-processing method for application-specific
processing of messages. A message is received. Whether the message is in a
selected application format is ascertained. If not, the message is routed to a next location.
If so, the message is routed to a selected application processor, processed by the
processor, and routed to the next location.

BRIEF DESCRIPTION OF THE DRAWINGS 

The following drawings form part of the present specification and are included to 
further demonstrate certain aspects of the present invention. The figures are not 
necessarily drawn to scale. The invention may be better understood by reference to one 
or more of these drawings in combination with the detailed description of specific
embodiments presented herein. 

FIG. 1 shows a high-level diagram of an information-processing system, in 
accordance with an embodiment of the present invention. 

FIG. 2 shows a high-level diagram of a client to server proxy, in accordance with 
an embodiment of the present invention. 

FIG. 3 shows a high-level diagram of a server to client proxy, in accordance with 
an embodiment of the present invention. 

FIG. 4 shows a lower-level diagram of a section of FIG. 2, in accordance with an 
embodiment of the present invention. 

FIG. 5 illustrates how application messages are parsed across TCP packets, in
accordance with an embodiment of the present invention.

FIG. 6 shows a high-level diagram of a fabric and application service devices, in 
accordance with an embodiment of the present invention. 

FIG. 7 shows the organization of a packet protected by IPSec in tunnel mode, in 
accordance with an embodiment of the PRIOR ART. 

FIG. 8 shows a block diagram of a possible VPN device, in accordance with an 
embodiment of the present invention. 

FIG. 9 shows a possible VPN scenario, in accordance with an embodiment of the 
present invention. 

FIG. 10 shows a possible VPN device implementation, in accordance with an 
embodiment of the present invention. 

FIG. 11 shows an outgoing packet handler, in accordance with an embodiment of
the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS



In a preferred embodiment, an information-processing system encodes and 
decodes data to and from a network protocol. Processing steps select and prepare the 
data for use by one or more specific applications. 

In a preferred embodiment, an information-processing system encodes and
decodes multiple network protocols. The information-processing system uses data being
carried over the network for an application. The information-processing system includes
hardware state machines or simple programmable processors as modules. Each such
module specializes in a specific task. The modules are interconnected to process data in a
generally pipelined fashion. Thereby, module specialization contributes to the
information-processing system's capability of processing networking traffic at very high
speeds.

Modules are described as physically distinct entities for convenience, but they are
computational units. As such, they may have any physically adequate embodiment.
Some examples include being embodied in software running on a general processing
device, in hardwired circuits, in a combination of software and hardware, etc. Therefore,
any number of modules may be encapsulated in a single IC. Similarly, the functionality
of a single module may be enabled using several physical devices. Modules are
described by the computations they perform and not by the techniques, mechanisms, and
combinations and subcombinations thereof that achieve the specified computations. In a
preferred embodiment, the modules are hardware state machines or simple programmable
processors.

FIG. 1 shows a high-level diagram of an information-processing system, 
according to a preferred embodiment. In this embodiment, network data in the form of 
packets pass from the client side through a physical-link-level layer to the information- 
processing system — also called a pipelined engine — where the packets are processed 
using shared resources, such as shared memory and queues, and then passed to the server 
side. 

In a preferred embodiment, multiple networking modules work in conjunction. A
packet is received at an information-processing system from a physical-link-level layer
and then passes through the modules, typically in sequential fashion. The networking
modules decode various network protocol frame headers. The application modules
process the data contained in the packets.

Some examples of network protocols are described in Appendix A of this
description. It is contemplated that for any message-based network protocol, an
embodiment could be implemented to process messages of that protocol without
departing from the spirit of the invention.

Application streams can have state information that is collected and processed
over the lifetime of the application stream. In some preferred embodiments, an
application service device (ASD) performs a function on one or more application
streams. Examples of ASDs include SSL/TLS processors, IPSEC processors, TCP
offload engines, content accelerators, firewalls, load balancers, IP-based storage devices,
etc.

State information is collected from each packet to encrypt or decrypt subsequent
packets. Typically, increasing bandwidth is difficult, further increasing the importance of
achieving higher speeds via other solutions. As illustrated in FIG. 6, Group B, an ASD
may perform a service via a number of connected devices. For example, a service that
requires multiple tasks could be implemented using a different device to perform each
task. In a preferred embodiment, an SSL/TLS device handles SSL/TLS handshakes
and encryptions over a TCP/IP network. The SSL/TLS device includes a handshake unit
and a data encryption unit. The handshake unit performs the handshake, while the data
encryption unit performs encryption.

In a preferred embodiment, a collection of fabric elements is included in a fabric.
The fabric switches each application stream to an appropriate application service device.
An application stream is a stream of application data between a set of end points.
Examples of application streams include an SSL/TLS connection between a web browser
and a web server, e-mail transfers, etc. In this preferred embodiment, the data from each
application stream is kept separate from the data of other application streams.
Application data can originate at any of the end points and flow to any other end point.
Typically, an application stream can be processed by a subset of the ASDs. An example
of this is a session in which all data packets of an SSL/TLS session require handling by
the particular ASD that handled that session's SSL/TLS handshake.

FIG. 6 illustrates an embodiment system where packets are gathered from one or
more different networks, processed by ASDs and passed out to one or more networks for
further processing. Related packets may arrive over different networks. The fabric
elements in Group A are responsible for gathering information from related packets and
routing them to the appropriate ASDs in Group B. The elements in Group C are
responsible for taking the processed output from the ASDs and passing them on to one or
more networks.

Group A preprocessing elements are each responsible for receiving packets from
a network. There may be one or more Group A elements. For example, there will
typically be more than one Group A element in a large installation where multiple
network connections are used to avoid a single point of failure. The Group A
preprocessing elements are responsible for routing different types of packets to different
ASDs in Group B.

Group B ASDs are each specialized protocol processors. One or more may be
SSL/TLS processors, and one or more may be VPN processors. Group C elements are
responsible for load balancing streams of packets from the ASDs to backend servers.
There may be one or more Group C elements.

So Group A and Group C represent a fabric that includes fabric elements. As
stated above, Group B represents ASDs. Referring now to a preferred embodiment
represented by Group A, Group B, and Group C, each module processes a single packet
or data block at a time. The result of the processing is then output from the module and
can then be passed to another module for further processing. The modules have access to
a shared memory area, which need not be the case in every preferred embodiment. The
modules also notify each other with messages about global state change conditions,
which need not be the case in every preferred embodiment.

Referring now to a preferred embodiment depicted in FIG. 1, an information- 
processing system may be implemented as a pipeline. In the pipeline, modules are 
related sequentially such that the output of each module — except the last module — is 
typically the input of its succeeding module. However, the modules are adapted to make 
decisions and accordingly the pipeline analogy does not apply absolutely. While the 
general flow of information will typically be from one module to the next in a linear 
sequence, the relatedness of the modules creates a more complex connectivity design 
than a simple pipeline. 

In a preferred embodiment, each module processes a single packet at a time, and 
each packet is processed by a single module at a time. Each module is assigned a time 
budget, so that the process(es) performed by the module are completed in a known 
number of clock cycles. The pipeline gates the flow of packets through the modules so 
that as each module outputs a packet, the module receives a new packet for processing. 
Each module's time budget is set relatively small in the design stage so that module 
operations are rendered relatively simple. Therefore, design of each module is driven by 
its time budget, network speed requirement, packet size, and task complexity. 

For example, in FIG. 2, the Session Manager module establishes a new 
connection in processing a SYN packet. SYN packets are exchanged in establishing a 
TCP connection. Simultaneously, the Evaluator module checks a TCP packet to 
determine if it is in-sequence or out-of-sequence and the Packet Filter module checks the 
header of a packet to determine to which of the other modules the packet should be 
forwarded. 

There are many advantages to this design approach, some of which are described here.
The modules are simpler and relatively independent, which makes them easier to specify,
design, and test. Also, the information-processing system may be tailored to a specific
application or set of applications so that network packets that are part of different
application streams can be quickly passed through or dropped without affecting the
performance of the rest of the device.

For example, in a preferred embodiment, SSL/TLS information is processed.
UDP packets and packets for non-managed ports are filtered out by the packet filter
module, so they are not processed by any other modules. This design characteristic
makes it easier to quantify the performance characteristic of each module and the entire
information-processing system.

In a preferred embodiment of the invention, represented by FIG. 2, an
information-processing system has been designed to process SSL/TLS connections. In
this SSL/TLS information-processing system, a certificate table is defined accordingly.
Each entry in the certificate table can contain an external IP address, a port number,
certificate information, a server IP address, and a server port number. The external IP
address and port number constitute a managed port that is used by each client attempting
to establish an SSL/TLS connection. The certificate information contains a public
certificate and associated private keys necessary for the SSL/TLS handshake. When a
connection is made with a client over the managed port for an entry, a matching
connection is made to the server port that is given by the server IP address and port
number. Any data that arrives from the client over the SSL/TLS connection is decrypted
and then forwarded to the server over the matching connection.

In the context of this description, two tasks are said to be processed concurrently
if both tasks are processed at generally the same time, preferably in the same clock cycle.
For example, in FIG. 2, a Packet Filter module can be determining whether a packet is for
a managed port concurrently with an Evaluator module determining whether another
packet is in-sequence or out-of-sequence.

In a preferred embodiment, an Evaluator module determines whether a packet is
in-sequence or out-of-sequence. A sequential stream of packet-based data includes
packets, each having an explicit or implicit sequence number specifying its place in the
sequential stream. This characteristic allows the packets to be delivered in any order and
requires the receiver to place the packets in order. For example, each TCP packet
contains an explicit sequence number in its TCP frame header. Out-of-sequence packets
can occur in many ways. For example, if a packet is dropped due to congestion,
hardware failure, or other cause, the transmitter will not receive an acknowledgement of
receipt of the dropped packet. After a period of time without receipt of an
acknowledgement, the transmitter will resend the packet.

In a preferred embodiment, an information-processing system SSL/TLS proxy has 
two elements: a client to server (CS) proxy and a server to client (SC) proxy. Modules 
for the CS proxy, represented by FIG. 2, may be implemented as follows. 

A CS Packet Filter module filters IP packets arriving from the client. If an
arriving packet is not intended for a managed port, it is routed immediately to the server.
SYN, FIN and RST packets are sent to a CS Session Manager module for establishing or
breaking a connection, as appropriate. Arriving Ack packets are directly forwarded to the
CS Inbound Ack Handler.

The CS Session Manager module is responsible for accepting the client's TCP
connections from the CS Packet Filter and will establish a matching connection with the
server in accordance with the Certificate table. The CS Session Manager will terminate a
connection upon receipt of a FIN or RST packet or upon time-out.

The CS Packet Filter module sends each IP packet fragment to a CS
Fragmentation Handler module. Once all the fragments of a fragmented packet are
received, the fragmented packet is reassembled and sent back to the CS Packet Filter
module for processing.
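The routing decisions of the CS Packet Filter described above, together with the certificate-table lookup that defines a managed port, as an added example (not code from the application itself). The table contents, the module names returned, and the treatment of a pure Ack (Ack flag set, no payload) are assumptions of this example; the certificate and key material is represented by a label only.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class CertEntry:
    cert_label: str      # stands in for the public certificate and private key
    server_ip: str       # matching server connection for this managed port
    server_port: int


# Constructed certificate table, keyed by the managed port (external IP, port).
CERT_TABLE = {
    ("192.0.2.10", 443): CertEntry("cert-www", "10.0.0.5", 8080),
    ("192.0.2.10", 993): CertEntry("cert-imap", "10.0.0.6", 143),
}

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_headers(pkt):
    """Return (dst_ip, proto, is_fragment, dst_port, tcp_flags, payload_len) from a raw IPv4 packet."""
    vihl, _tos, total_len, _id, frag, _ttl, proto, _csum, _src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    is_fragment = bool(frag & 0x3FFF)          # MF flag set or non-zero fragment offset
    dst_ip = str(IPv4Address(dst))
    if proto != IPPROTO_TCP or is_fragment:
        return dst_ip, proto, is_fragment, None, None, None
    _sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    return dst_ip, proto, is_fragment, dport, off_flags & 0x01FF, total_len - ihl - data_off


def cs_packet_filter(pkt):
    """Decide which CS module receives the packet; returns the module name."""
    dst_ip, proto, is_fragment, dport, flags, payload_len = parse_headers(pkt)
    if is_fragment:
        return "fragmentation_handler"         # reassembled, then filtered again
    if proto != IPPROTO_TCP or (dst_ip, dport) not in CERT_TABLE:
        return "pass_through_to_server"        # UDP and non-managed ports: no further processing
    if flags & (TCP_SYN | TCP_FIN | TCP_RST):
        return "session_manager"               # connection set-up or tear-down
    if flags & TCP_ACK and payload_len == 0:
        return "inbound_ack_handler"           # pure acknowledgement, nothing to sequence
    return "evaluator"                         # data segment: in-/out-of-sequence check


def build_packet(dst_ip, proto=IPPROTO_TCP, dport=443, flags=TCP_ACK, payload=b"", frag=0):
    """Constructed test packet: minimal IPv4 plus TCP/UDP header, checksums left zero."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIHHHH", 40000, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, frag, 64, proto, 0,
                     IPv4Address("198.51.100.7").packed, IPv4Address(dst_ip).packed)
    return ip + l4


if __name__ == "__main__":
    print(cs_packet_filter(build_packet("192.0.2.10", flags=TCP_SYN)))   # session_manager
```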

SSL/TLS handshake messages are created in response to handshake messages 
from the client. They are sent in reply to the client via the CS Outbound Ack Handler 
module. 

TCP packets are sent to a CS Evaluator module for determination of whether they
are in-sequence or out-of-sequence. In-sequence packets are sent to a CS Application
Message Parser module. Out-of-sequence packets are sent to a CS Packet Sequencer
module. The CS Packet Sequencer module re-sequences packets and then passes them on
in proper sequence to the CS Application Message Parser module for further processing.

TCP packets can form a stream of data that can contain SSL/TLS messages. As
shown in FIG. 5, the boundaries of a TCP packet do not necessarily align with the
boundaries of an SSL/TLS message. The CS Application Message Parser module is
responsible for combining and splitting TCP packets to form SSL/TLS messages. In
FIG. 2, the CS Application Message Parser module sends packets to the CS Application
Block module, and the CS Application Block module sends packets to the Results
Processor. The communication relationships of these three modules are represented at a
lower level in FIG. 4. The CS Application Message Parser module sends SSL/TLS
handshake packets to a CS SSL/TLS Connection Manager module, and SSL/TLS data
packets to a CS SSL/TLS Crypto Block module.
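The Evaluator/Packet Sequencer stage and the Application Message Parser stage described in the two paragraphs above, chained as the pipeline runs them, as an added example that is not code from the application. The segment sample is constructed; the 5-byte record header layout is the SSL 3.0/TLS 1.0 one, and the routing of change_cipher_spec and alert records is an assumption of this example (the text only specifies handshake and data records).

```python
import struct


class PacketSequencer:
    """CS Evaluator plus CS Packet Sequencer: a segment carrying the expected
    sequence number is released at once; later segments are held until the gap
    before them is filled. Assumes no 32-bit sequence wrap and no partial overlap
    between held segments (simplifications for this example)."""

    def __init__(self, initial_seq):
        self.expected = initial_seq   # sequence number of the next byte to deliver
        self.pending = {}             # seq -> payload of held out-of-sequence segments

    def push(self, seq, payload):
        """Return the payload chunks that become deliverable, in stream order."""
        end = seq + len(payload)
        if end <= self.expected:
            return []                                  # full duplicate: already delivered
        if seq < self.expected:                        # partial overlap: keep only the new tail
            payload, seq = payload[self.expected - seq:], self.expected
        if seq != self.expected:
            self.pending[seq] = payload                # out-of-sequence: hold it
            return []
        out, self.expected = [payload], end
        while self.expected in self.pending:           # drain held segments that now fit
            nxt = self.pending.pop(self.expected)
            out.append(nxt)
            self.expected += len(nxt)
        return out


class TlsRecordParser:
    """CS Application Message Parser: re-frames an in-order byte stream into
    SSL/TLS records (5-byte header: type, version, length), whose boundaries do
    not align with TCP segment boundaries (FIG. 5)."""
    HEADER_LEN = 5
    MAX_BODY = 2 ** 14 + 2048          # largest legal record body for SSL 3.0 / TLS 1.0
    CONTENT_TYPES = (20, 21, 22, 23)   # change_cipher_spec, alert, handshake, application_data

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk):
        """Append bytes and return every complete record as (type, version, body)."""
        self.buf += chunk
        records = []
        while len(self.buf) >= self.HEADER_LEN:
            ctype, version, length = struct.unpack("!BHH", self.buf[:self.HEADER_LEN])
            if ctype not in self.CONTENT_TYPES or length > self.MAX_BODY:
                raise ValueError("malformed SSL/TLS record header")
            if len(self.buf) < self.HEADER_LEN + length:
                break                                  # record continues in a later segment
            body = bytes(self.buf[self.HEADER_LEN:self.HEADER_LEN + length])
            del self.buf[:self.HEADER_LEN + length]
            records.append((ctype, version, body))
        return records


def cs_parse_stream(initial_seq, segments):
    """Run (seq, payload) segments in arrival order through both modules and route
    the records as FIG. 4 describes: handshake-phase records to the Connection
    Manager, the rest to the Crypto Block (alert routing assumed here)."""
    sequencer, parser = PacketSequencer(initial_seq), TlsRecordParser()
    routed = {"connection_manager": [], "crypto_block": []}
    for seq, payload in segments:
        for chunk in sequencer.push(seq, payload):
            for ctype, version, body in parser.feed(chunk):
                dest = "connection_manager" if ctype in (20, 22) else "crypto_block"
                routed[dest].append((ctype, version, body))
    return routed


# Constructed sample: one handshake record then one application-data record,
# delivered as three TCP segments arriving out of order, plus one duplicate.
HANDSHAKE = bytes([22, 3, 1, 0, 4]) + b"\x01\x00\x00\x00"
APP_DATA = bytes([23, 3, 1, 0, 6]) + b"hello!"
STREAM = HANDSHAKE + APP_DATA
SEGMENTS = [(1007, STREAM[7:13]), (1013, STREAM[13:]), (1000, STREAM[:7]), (1000, STREAM[:7])]

if __name__ == "__main__":
    print(cs_parse_stream(1000, SEGMENTS))
```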

The CS SSL/TLS Connection Manager module performs an SSL/TLS handshake
using Certificate Information for this managed port from a Certificate Table. The CS
SSL/TLS Connection Manager module receives all the handshake messages from the
client and creates handshake messages in response. The output from the CS SSL/TLS
Connection Manager module will be to establish an SSL/TLS connection or refuse it.
This block contains the public key cryptographic elements necessary for SSL/TLS.

The CS SSL/TLS Crypto Block module first receives SSL/TLS data messages
from the client over an established SSL/TLS connection and then applies the cipher
processing (decryption) to the SSL/TLS data messages. The processed SSL/TLS data
messages are subsequently output to the CS Results Processor module.

The CS Results Processor module receives the output of the CS SSL/TLS 
Connection Manager module and SSL/TLS Crypto Block module. The CS Results 
Processor module sends decrypted SSL/TLS data to the server via the CS Inbound Ack 
Handler module. 

The CS Inbound Ack Handler module and the CS Outbound Ack Handler module
are responsible for tracking the Acks for packets sent out over the network to the server
or client, respectively. Ack packets are sent over the network to the client via the CS
Outbound Ack Handler module. If an Ack is not received within a set period of time, the
packet is resent. If an Ack is not received after repeated attempts, the session is
terminated and an error condition is raised.

In the same preferred embodiment, modules for the server to client (SC) proxy,
represented by FIG. 3, may be implemented as follows.

An SC Packet Filter module receives packets from the server. For each packet, an
SC Packet Filter determines whether the packet is a TCP packet and whether the packet is
intended for the proxy server. If the packet is not a TCP packet that is intended for the
proxy server, the packet is forwarded immediately out to the client. If the packet is a
FIN packet or an RST packet, it is sent to an SC Session Manager module.

In this preferred embodiment, the server never connects to the proxy. Therefore,
the SC Session Manager does not handle SYN packets: connection attempts are rejected
immediately. Rather, the SC Session Manager module only manages FIN packets, RST
packets, and time-out packets that terminate a session. The CS Session Manager is
notified about these session termination events.

The SC Packet Filter module sends each IP packet fragment to an SC 
Fragmentation Handler module (not shown in FIG. 3). Once all the fragments of a 
fragmented packet are received, the fragmented packet is reassembled and sent back to 
the SC Packet Filter module for processing. 

TCP packets are sent to an SC Evaluator module for determination of whether 
they are in-sequence or out-of-sequence. In-sequence packets are sent to an SC SSL/TLS 
Crypto Block module. Out-of-sequence packets are sent to an SC Packet Sequencer 
module. The SC Packet Sequencer module re-sequences packets and then passes them on 
in proper sequence to the SC SSL/TLS Crypto Block module for further processing. 

The SC Crypto Block module encrypts the data from each incoming TCP packet 
and places the encrypted data in an SSL/TLS message. The SC Crypto Block module 
then forwards the SSL/TLS message to the SC Results Processor module. 

The SC Results Processor module places the SSL/TLS message in a TCP packet 
frame and sends it to the SC Ack Handler module. 

The SC Ack Handler module sends the TCP packet to the client over the link
transport layer and awaits an Ack for a time period. If an Ack is not received within the
time period, the packet is resent. Repeated failures cause the SC Ack Handler module to
declare an error event and close the connection.

A preferred embodiment also provides for superior bandwidth scaling. The local
service devices can operate at a lower bandwidth. A simpler design may be used to
accomplish complex application processing, with a simpler implementation. ASDs may
be connected in parallel as in FIG. 6, Group B, to achieve superior aggregate bandwidth.
And they may be connected serially to achieve superior aggregate capacity. Where each
ASD is capable of a certain quantity of bandwidth (x), and several devices (n) are
connected to the fabric as in FIG. 6, Group A, the combined system achieves n times x
bandwidth.

This preferred embodiment furthermore provides better path resiliency. An
application stream can arrive over multiple networks and channels, where the fabric
operationally combines them. Packets of a single application stream will be sent to the
same ASD. Where different streams arrive at the fabric having different protocols, the
data is converted to a single protocol. For example, where an ASD is only capable of
processing IPV4 and that ASD interfaces with a network carrying IPV6 traffic, fabric
elements are used to perform the conversion between IPV6 and IPV4.

One embodiment is a tunnel-mode IPSec VPN. FIG. 7 shows an example of an
IP packet protected by IPSec in tunnel mode. The outer IP header is used to actually
transmit a packet over an unsecured network. One unsecured network is the Internet.
The IPSec header contains the authentication information.

Security Associations (SA) are the contract between the two ends of an IPSec
connection. SAs determine the specific IPSec protocols used to secure packets, keys, and
the duration for which the keys are valid. Each connection has a pair of SAs, one for
incoming packets and one for outgoing packets. An SA database (SADB) is used to hold
the SAs.

FIG. 8 is a block diagram of a possible VPN device. It connects a secured
network (accessible only by trusted parties) to an unsecured network. The device (1) 
provides the protection necessary to authenticate clients and (2) protects the data on the 
unsecured network by encrypting packet contents. 

The VPN device offers secure channels over the unsecured network. It is possible 
that unsecured channels are also allowed between clients on the unsecured network and 
clients on the secured networks. Those channels, if they travel through the VPN device, 
can be passed through without interference. 

FIG. 9 shows an embodiment where a VPN device is used. Packets transmitted
from Client A to Client B — and from Client B to Client A — over the Internet, an
unsecured network, are protected by the IPSec authentication and encryption services
offered by the VPN device on the Client B side and possibly by software on the Client A
side.

When the VPN device receives a packet from Client A over the unsecured
network, it authenticates the sender using the IPSec header, decrypts the packet contents,
and passes the decrypted packet over the secured network to the receiving Client B using
the inner IP header.

When the VPN device receives a packet from Client B over the secured network,
it encapsulates the entire packet by encrypting it, adding an IPSec header, and adding an
outer IP header, and then transmits it over the unsecured network.

FIG. 10 is a block diagram of a possible VPN device implementation for incoming
packets. A packet filter is responsible for receiving IP packets, recognizing which ones
are on secured channels, as well as which have been fragmented. Packets for unsecured
channels are sent on a bypass path directly to the transmit block for transmission to the
secured network. Fragmented IP packets are sent to a fragmentation handler that FIG. 10
does not show. Packets for secure channels are sent to the IPSec authentication manager.
The IPSec authentication manager authenticates the client transmitting the packet, and
passes the contents of the packet, including the inner IP header, TCP header, and data
blocks, to the decryption block. The authentication manager also communicates with the
SADB block to retrieve the incoming SA. The authentication manager may comprise
multiple blocks each responsible for a specific task involved with managing SAs.

The decryption block decrypts the packet content using the decryption algorithm 
and other information, as specified by the authentication manager. The decrypted packet 
is then transmitted on the secured network by the transmit block. 

Each block described must process a packet within a specific time period. If the
processing within a block is too complicated to meet its time budget, it must be split, and
the resulting component blocks should then each meet the time budget for individual
packets. Since each block is capable of processing different packets at the same time,
total system throughput goals, in packets per time period, should be met.

FIG. 11 describes an outgoing packet handler. The packet filter recognizes
whether a packet is for a secured channel. If not, the packet is immediately routed to the
transmit block. Otherwise, the IPSec session manager communicates with the SADB
manager to fetch the necessary outgoing SA for the corresponding secure channel. The
session manager gathers and builds the necessary information for authenticating this
packet.

The Encryption block takes the authentication information, builds the outer IP
header and IPSec header, and encapsulates the received packet to organize the IPSec
packet as shown in FIG. 7. Under certain conditions, the outgoing packet could be big
enough to be fragmented into two encapsulated packets. The transmit block then
transmits the IPSec encapsulated packet onto the unsecured network.
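The incoming (FIG. 10) and outgoing (FIG. 11) handler paths above, as an added example that is not code from the application: packet filter, SADB lookup, authentication check, and only then decryption. The SADB layout, the 8-byte SPI/sequence header, the HMAC-SHA256 tag used as the authentication information and the HMAC-derived keystream standing in for the SA's cipher are all assumptions of this example, not a real IPSec transform.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

IPPROTO_IPSEC = 50   # outer IP protocol number announcing the IPSec header
ICV_LEN = 32         # HMAC-SHA256 tag carried as the authentication information


@dataclass
class SecurityAssociation:
    spi: int
    auth_key: bytes
    enc_key: bytes
    seq: int = 0     # outgoing sequence counter, advanced per encapsulated packet


class SADB:
    """Constructed SA database: one SA per direction of each secure channel."""
    def __init__(self):
        self.incoming = {}   # (local outer IP, SPI) -> SA
        self.outgoing = {}   # inner destination IP -> (peer outer IP, SA)


def _keystream(sa, seq, n):
    """Stand-in stream cipher (NOT a real IPSec transform): HMAC-SHA256 blocks
    keyed by the SA's encryption key, unique per SPI, sequence number and block."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(sa.enc_key, struct.pack("!III", sa.spi, seq, block), hashlib.sha256).digest()
    return out[:n]


def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def _outer_ip_header(src, dst, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       IPPROTO_IPSEC, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def build_inner_packet(src, dst, payload):
    """Constructed inner IPv4 packet (TCP protocol number, checksums left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload


def outgoing_handler(sadb, inner_pkt, local_ip):
    """FIG. 11 path: filter, fetch the outgoing SA, authenticate, encapsulate."""
    inner_dst = str(IPv4Address(inner_pkt[16:20]))
    if inner_dst not in sadb.outgoing:
        return "transmit", inner_pkt            # not a secure channel: straight to transmit
    peer_ip, sa = sadb.outgoing[inner_dst]
    sa.seq += 1
    ipsec_hdr = struct.pack("!II", sa.spi, sa.seq)
    ct = _xor(inner_pkt, _keystream(sa, sa.seq, len(inner_pkt)))
    icv = hmac.new(sa.auth_key, ipsec_hdr + ct, hashlib.sha256).digest()
    body = ipsec_hdr + ct + icv                 # organization of FIG. 7, minus the outer header
    return "transmit", _outer_ip_header(local_ip, peer_ip, len(body)) + body


def incoming_handler(sadb, pkt):
    """FIG. 10 path: filter, look up the incoming SA, verify the ICV, then decrypt."""
    vihl, _, _, _, frag, _, proto, _, _src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if frag & 0x3FFF:                           # MF set or non-zero offset
        return "fragmentation_handler", None
    if proto != IPPROTO_IPSEC:
        return "bypass", pkt                    # unsecured channel passes untouched
    if len(pkt) < ihl + 8 + ICV_LEN:
        return "drop", None
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    sa = sadb.incoming.get((str(IPv4Address(dst)), spi))
    if sa is None:
        return "drop", None                     # no SA for this sender
    ipsec_hdr, ct, icv = pkt[ihl:ihl + 8], pkt[ihl + 8:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, ipsec_hdr + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):
        return "drop", None                     # authentication fails before any decryption
    inner = _xor(ct, _keystream(sa, seq, len(ct)))
    return "transmit_secured", inner            # inner IP header now routes it
```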

As will be recognized by those skilled in the art, the innovative concepts
described in the present application can be modified and varied over a tremendous range
of applications, and accordingly the scope of patented subject matter is not limited by any
of the specific examples given. For example, an ASD, with its described functions, could
be physically incorporated into a firewall device, or could be incorporated into a network
interface device that is physically located in a server system. Multiple ASDs can be
implemented as one physical apparatus. ASDs could perform other data processing tasks
instead of or in addition to decryption tasks.

Any element in a claim that does not explicitly state "means for" performing a
specified function, or "step for" performing a specific function, is not to be interpreted as
a "means" or "step" clause as specified in 35 U.S.C. § 112, ¶ 6. In particular, the use of
"step of" in the claims herein is not intended to invoke the provision of 35 U.S.C. § 112,

It should be apparent from the foregoing that an invention having significant 
advantages has been provided. While the invention is shown in only a few of its forms, it 
is not limited to those but is susceptible to various changes and modifications without 
departing from the spirit of the invention. Furthermore, while many contemplated 
modifications and variations have been explicitly referenced in this detailed description, 
they are not intended to be an exclusive listing of modifications and variations. It is 
contemplated that variations and modifications could be made to produce 
innumerable different preferred embodiments without departing from the spirit or scope 
of the claimed invention, and it is contemplated that such would be obvious to one of 
ordinary skill in the art. 

APPENDIX A — GLOSSARY 

This Glossary defines words as they are used throughout this application. This 
Glossary lists base words rather than word variations. But the meanings of word 
variations — such as "connecting," "connect," and "connected" for the base word 
"connection" — are also given meaning according to their logical relationship to the base 
word. 

"=" means equality or congruence, depending on the context. This is clear to 
typical practitioners of this technical area. 

"≈" means approximately. 

"algorithm" means a process for completing a task. An encryption algorithm is 
the process, typically with mathematical characteristics, to encrypt and decrypt messages. 

"ARP" means Address Resolution Protocol. To map an IP address into a 
hardware address, a computing device uses the ARP protocol, which broadcasts a request 
message containing an IP address, to which a target computing device replies with both 
the original IP address and the hardware address. 

"Asymmetric encryption" means encryption used in a public-private key 
cryptosystem. 

"Asymmetric key cipher" means a public-private key cryptography system. 

"Authentication" means the process of verifying that a file or message has not 
been altered en route from the distributor to the recipient(s). 

"Cipher" means a cryptographic algorithm used to encrypt and decrypt files and 
messages. 

"Ciphertext" means the disguised (or encrypted) file or message. 

"Computing device" means a device having at least one processor and at least one 
memory device, wherein the processor can process data that can be stored in the memory 
device before and/or after processing, or a group of devices having that capacity in 
combination. By this definition, examples of a computing device include computer, 
personal computer, palm computing device, notebook computer, server, mainframe, 
network of computing devices with coordinated processing or storage, network of 
components functioning together as a computing device wherein any single component 
may not be a computing device in its own right, etc. As another example, components of 
a computing device may be connected across the Internet. Other examples of computing 
devices could include boards, chips, exponentiators, multipliers, etc. 

"Connection" means any connection that is adapted to carry communication, 
whatever the supporting technology. Examples of connections include hard wire 
connections such as phone lines, T1 lines, DSL, fiber optic, Ethernet, twisted pair, etc. 
Other examples of connections include wireless connections such as those operating by 
electromagnetic waves, wireless optics (e.g., infrared), etc. Further examples are a 
logical connection between two processes on the same system, and a connection between 
two processes sharing a common memory space. 
"Cryptanalysis" means the art of breaking cryptosystems. It also means the 
process of looking for errors or weaknesses in the implementation of an algorithm or of 
the algorithm itself. 

"Cryptography" is the art of creating and using cryptosystems. 

"Cryptosystem" means the entire process of using cryptography. This includes 
the actions of encrypting and decrypting a file or message. It also means authenticating 
the sender of an e-mail message. 

"Decryption" means any process to convert ciphertext back into plaintext. 
Decrypting is synonymous to decoding. 

"DES" means the Data Encryption Standard. It is a cipher developed by the 
United States government in the 1970s to be the official encryption algorithm of the 
United States. 

"Digital signature" means systems that allow people and organizations to 
electronically certify such features as their identity, their ability to pay, or the authenticity 
of an electronic document. 

"Encryption" means any process to convert plaintext into ciphertext. Encrypting 
is synonymous to encoding. 

"FTP" means File Transfer Protocol. FTP enables transferring of text and binary 
files over TCP connections. FTP allows transferring files according to a strict mechanism 
of ownership and access restrictions. It is now one of the most commonly used protocols 
over the Internet. 

"Hamming weight" means the number of "1" bits in the binary representation of a 
number. 

"HTTP" means Hyper Text Transfer Protocol. It is a protocol used to transfer 
hypertext pages across the World Wide Web. 

"IP" means Internet Protocol, and is the underlying protocol for the other Internet 
protocols. IP defines the means to identify and reach a target computer on the network. A 
unique number known as an IP address identifies each computing device in the IP world. 
"IPSec" means Internet Protocol Security. It is a standard for security at the 
network or packet-processing layer of network communication. IPSec provides two 
choices of security service: Authentication Header (AH), which essentially allows 
authentication of the sender of data, and Encapsulating Security Payload (ESP), which 
supports both authentication of the sender and encryption of data. IPSec is a suite of 
protocols that protect client protocols of IP, such as TCP. IPSec describes mechanisms 
that provide data source authentication, data integrity, confidentiality and protection 
against replay attacks. IPSec provides transport mode and tunnel mode operation. Some 
embodiments provide only tunnel mode operation, and others offer a more complete 
IPSec implementation. 

"iSCSI" is a software package that emulates SCSI protocols, but the connection 
method is via an IP network instead of a direct SCSI compatible cable. This is one 
example of IP-based storage. 

"Key" means a collection of bits, usually stored in a file, which is used to encrypt 
or decrypt a message. 

"Network protocol" means a standard designed to specify how computers 
interact and exchange messages. It usually specifies the format of the messages and how 
to handle errors. The following Internet protocols are examples of network protocols: 
ARP, FTP, HTTP, IP, NNTP, PPP, SLIP, SMTP, SNMP, TCP, Telnet, and UDP. 

"NNTP" means Network News Transfer Protocol. It is a protocol used to carry 
USENET postings between News clients and USENET servers. 

"PGP" means Pretty Good Privacy. It is a public-private key cryptosystem that 
allows users to more easily integrate the use of encryption in their daily tasks, such as e-
mail protection and authentication, and protecting files stored on a computer. PGP is 
available for free to individual home users. 

"Plaintext" means the original message or file. After a file or message has been 
encrypted and then decrypted you should end up with the original file or message. 

"PPP" means Point-To-Point protocol, and is a protocol for creating a TCP/IP 
connection over both synchronous and asynchronous systems. PPP provides connections 
for host-to-network or router-to-router. It also has a security mechanism. PPP is well 
known as a protocol for connections over regular telephone lines using modems on both 
ends. This protocol is widely used for connecting personal computers to the Internet. 

"Private key" means the private key of a public-private key cryptosystem. This 
key is used to digitally sign outgoing messages and is used to decrypt incoming 
messages. 

"Public key" means the public key of a public-private key cryptosystem. This key 
is used to confirm digital signatures on incoming messages or to encrypt a file or message 
so that only the holder of the private key can decrypt the file or message. 

"Public key cryptosystem" means an asymmetric encryption algorithm in which it 
is infeasible to derive one key from the other. 

"Public-private key cryptosystem" means a cryptosystem that uses two different 
keys to encrypt and decrypt messages and files. The two keys are mathematically related 
to each other, but deriving one key from the other is infeasible. One key is a public key 
and one key is a private key. The public key is usually distributed to other users, and the 
private key is usually kept secret. 

"Ring arithmetic" means an arithmetic of mathematical structures in which 
addition, subtraction, multiplication, and their obvious consequences such as 
exponentiation, have the properties and interrelationships usually encountered in high 
school algebra. 

"SCSI" is an intelligent protocol that enables data blocks to be read at high speed 
from or sent at high speed to storage devices such as disks or tape drives. Early 
implementations of SCSI used ribbon cable and industry standard logic levels. 

"Security association" means a relationship between two or more entities that 
describes how the entities will utilize security services to communicate securely. This 
relationship is represented by a set of information that can be considered a contract 
between the entities. The information must be agreed upon and shared between all the 
entities. Security association is commonly abbreviated SA. 
"Shotgun multiplication" means a process like that described in this application 
for performing fast computations by performing processing in mathematically 
independent units, taking advantage of more than one basis and precomputed operands, 
and accommodating iterative problems. 

"SLIP" means Serial Line Internet Protocol, and is a point-to-point protocol to use 
over a serial connection, a predecessor of PPP. There is also an advanced version of this 
protocol known as CSLIP (compressed serial line internet protocol) that reduces 
overhead on a SLIP connection by sending just header information when possible, thus 
increasing packet throughput. 

"SMTP" means Simple Mail Transfer Protocol, and is dedicated to sending e-mail 
messages originating on a local host to a remote server over a TCP connection. SMTP 
defines a set of rules that allows two programs to send and receive e-mail over the 
network. The protocol defines the data structure to deliver with information regarding the 
sender, the recipient(s) and the e-mail's body. 

"SNMP" means Simple Network Management Protocol. It is a simple protocol 
that defines messages related to network management. Through the use of SNMP, 
network devices such as routers can be configured by any host on their network. 

"SSL" means Secure Sockets Layer, and is a trademark of Netscape. It is a 
program layer created by Netscape for managing the security of message transmissions in 
a network. The concept is that the programming for keeping messages confidential is to 
be contained in a program layer between an application (such as a Web browser or 
HTTP) and the Internet's TCP/IP layers. The "sockets" part of the term refers to the 
sockets method of passing data back and forth between a client and a server program in a 
network or between program layers in the same computer. 

"SSL/TLS" means compatible with SSL and with TLS. 

"Symmetric key" means the key of a symmetric key cryptosystem. The 
symmetric key is used to encrypt a file or message and also to decrypt the file or 
message. 
"Symmetric key cryptosystem" means a cryptosystem that uses one key to lock 
and unlock — encrypt and decrypt — messages and files. The sender must possess the 
key to encrypt a file or message, and the recipient(s) must possess the key to decrypt the 
file or message. 

"TCP" means Transmission Control Protocol. Like UDP, TCP is a protocol that 
enables a computer to send data to a remote computer. But unlike UDP, TCP is reliable 
— packets are guaranteed to wind up at their target in the correct order. 

"Telnet" is a terminal emulation protocol for use over TCP connections. It enables 
users to login to remote hosts and use their resources from the local host. 

"TLS" means Transport Layer Security. It is the successor protocol to SSL, 
created by the Internet Engineering Task Force (IETF) for general communication 
authentication and encryption over TCP/IP networks. TLS version 1 is nearly identical 
with SSL version 3, providing data integrity and privacy on a communications link over 
the Internet. It allows client-server applications to communicate and is designed to 
prevent eavesdropping, message forgery, and interference. 

"TOE" means TCP Offload Engine. TOE technology typically takes the server 
CPU out of I/O processing by shifting TCP/IP processing tasks to a network adapter or 
storage device. This leaves the CPU free to run its applications, so users get data faster. 

"Triple DES" means a method of improving the strength of the DES algorithm by 
using it three times in sequence with different keys. 

"UDP" means User Datagram Protocol. It is a simple protocol that transfers 
datagrams (packets of data) to a remote computer. UDP doesn't guarantee that packets 
will be received in the order sent or that they will arrive at all. 